Rights of data subjects under GDPR – Part II

The GDPR grants data subjects a wide range of rights, some of which are an expansion of rights which are currently afforded to them under the Data Protection Act, while others are entirely new. Our October blog post covered two of these rights: the right of access (data subject access requests) and the right to portability. In this month’s post, we will address the right to rectification, the right to erasure, the right to restriction of processing and the right to object to processing.

These rights must be brought to the attention of the data subject no later than the time of first communication with them. They must be presented clearly and separately from other information, for example under a separate section in a privacy policy.

Right to rectification

Organisations will already be familiar with this right, as it reflects the position under current law. Data subjects have the right to have inaccurate personal data rectified and incomplete personal data completed. Controllers must ensure they comply with such requests ‘without undue delay’.

Right to erasure

Also known as the ‘right to be forgotten’, this right allows for the erasure of personal data if:

• the personal data is no longer necessary in relation to the purpose for which it was collected or processed;
• the data subject has withdrawn its consent and there is no other legal ground for the processing;
• the data subject objects to the processing and the data controller has no overriding grounds for continuing the processing;
• the personal data has been processed unlawfully; or
• erasure is necessary for compliance with EU law or the Member State’s national law.

However, this right is not absolute. An organisation can refuse to comply with a request for erasure where processing is necessary for:

• exercising the right to freedom of expression and information;
• complying with a legal obligation or for the performance of a task carried out in the public interest;
• public interest purposes in the area of public health;
• archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
• the establishment, exercise or defence of legal claims.

Right to object and automated decision making

Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data, where the basis for that processing is either (i) public interest or (ii) the controller’s legitimate interests. If the data subject exercises this right, the controller must cease processing unless it:

• can demonstrate compelling legitimate grounds for the processing which override the data subject’s interests, rights and freedoms; or requires the data to establish, exercise or defend legal claims.

Data subjects have the right to object at any time to processing for direct marketing purposes, including profiling to the extent that it relates to direct marketing. Where the data subject objects to processing for direct marketing purposes, the controller must cease processing for such purposes.

Data subjects also have the right not to be subject to a decision based solely on automated processing which significantly affects them (including profiling). In addition, they have the right to object to processing that is carried out for scientific and historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Right to restriction of processing

The GDPR introduces the right to restriction of processing. This means that, if a data subject exercises this right, the data controller will only be able to process that data for limited purposes. Some of the circumstances in which a data subject may do so are clear, such as:

• where the accuracy of the data is contested, in which case the data controller must stop processing for as long as it takes to verify the accuracy; or
• the data subject has objected to the processing, pending the verification whether the data controller’s legitimate grounds override the data subject’s rights.

The other grounds are less clear, and we await further guidance as to how they will apply in practice. These cover the circumstances where:

• the processing is unlawful and the data subject requests a restriction, as opposed to erasure, of the data; or
• the controller no longer needs the personal data, but the data subject does for establishing, exercising or defending a legal claim.

Conclusion

Understanding these rights is essential for data controllers, as their processing activities may be limited in the event these rights are exercised. Data processors should also be aware of these rights although liability for compliance will remain with the controller.

In preparation for the GDPR, all organisations are advised to review their privacy policies to ensure data subjects’ rights are set out, and train their staff on how to recognise and respond promptly to requests from data subjects.